[Feature] Add ability to get additional policies from restricted (#4416)

* Add includeRestrictedPolicies function
* Add Test Case

Signed-off-by: dschunack <dschunack@web.de>

charts/kyverno-policies/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 type: application
 name: kyverno-policies
-version: v2.5.4
+version: v2.5.5
 appVersion: v1.7.3
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Pod Security Standards implemented as Kyverno policies
@@ -33,3 +33,5 @@ annotations:
       description: Support for failurePolicy setting in kyverno-policies helm chart
     - kind: added
       description: Add posibility to set validationFailureAction by Policy
+    - kind: added
+      description: Added ability to get additional policies from restricted

charts/kyverno-policies/README.md

@@ -2,7 +2,7 @@
 
 Kubernetes Pod Security Standards implemented as Kyverno policies
 
-![Version: v2.5.4](https://img.shields.io/badge/Version-v2.5.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.3](https://img.shields.io/badge/AppVersion-v1.7.3-informational?style=flat-square)
+![Version: v2.5.5](https://img.shields.io/badge/Version-v2.5.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.3](https://img.shields.io/badge/AppVersion-v1.7.3-informational?style=flat-square)
 
 ## About
 
@@ -67,6 +67,7 @@ The command removes all the Kubernetes components associated with the chart and
 | podSecuritySeverity | string | `"medium"` | Pod Security Standard (`low`, `medium`, `high`). |
 | podSecurityPolicies | list | `[]` | Policies to include when `podSecurityStandard` is `custom`. |
 | includeOtherPolicies | list | `[]` | Additional policies to include from `other`. |
+| includeRestrictedPolicies | list | `[]` | Additional policies to include from `restricted`. |
 | failurePolicy | string | `"Fail"` | API server behavior if the webhook fails to respond ('Ignore', 'Fail') For more info: https://kyverno.io/docs/writing-policies/policy-settings/ |
 | validationFailureAction | string | `"audit"` | Validation failure action (`audit`, `enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
 | validationFailureActionByPolicy | object | `{}` | Define validationFailureActionByPolicy for specific policies. Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. |

charts/kyverno-policies/ci/test-values.yaml

@@ -1,6 +1,8 @@
 podSecurityStandard: restricted
 includeOtherPolicies:
 - require-non-root-groups
+includeRestrictedPolicies:
+- require-run-as-non-root-user
 validationFailureActionByPolicy:
   require-non-root-groups: enforce
 validationFailureActionOverrides:

charts/kyverno-policies/templates/_helpers.tpl

@@ -40,6 +40,8 @@ helm.sh/chart: {{ template "kyverno-policies.chart" . }}
 {{- true }}
 {{- else if and (eq .Values.podSecurityStandard "custom") (has .name .Values.podSecurityPolicies) }}
 {{- true }}
+{{- else if has .name .Values.includeRestrictedPolicies }}
+{{- true }}
 {{- else -}}
 {{- false }}
 {{- end -}}

charts/kyverno-policies/values.yaml

@@ -12,6 +12,10 @@ podSecurityPolicies: []
 includeOtherPolicies: []
 # - require-non-root-groups
 
+# -- Additional policies to include from `restricted`.
+includeRestrictedPolicies: []
+# - require-run-as-non-root-user
+
 # -- API server behavior if the webhook fails to respond ('Ignore', 'Fail')
 # For more info: https://kyverno.io/docs/writing-policies/policy-settings/
 failurePolicy: Fail